Scott Cantor wrote:

or to remove it entirely, because I don't think it's
a best current practice for secure authentication.
Personally, I don't think removing it is going to be a service to the
community, because this is the current practice, even if it is not the
best one.
Since nothing's referencing this specification yet anyway, why not outline
what people should do, rather than what they are doing?
Personally I am hoping that updated versions of documents referenced in the Appendix will point to this document. Such updated protocols will either have a backward compatibility issue (if text about use of CN is removed), or will have to copy the text about use of CN. The latter kind of defeats the purpose of having a document that serves as a cookbook for TLS server identity verification in protocols.

This is not to say that I am against discouraging use of CN in certificates. I am against discouraging by omission.

A previous note mentioned the fact that DNs are hierarchical paths into a
directory. This, of course, is not true;

This part is actually true, by definition of a DN.

X.500 does not exist as a
global/going concern, so DNs are in fact misleading in this context.

X.509 is using X.500 constructs such as DNs. So lack of global X.500 infrastructure is irrelevant in this case.

As a side note: some CAs use X.500 Directories internally, so DNs specified in certificates they issue correspond to DNs in their Directories.

Let's stop pretending otherwise.

_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
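The thread above turns on the difference between what implementations currently do (accept the subject CN as a server name) and what a cookbook for TLS server identity verification should recommend (match against subjectAltName dNSName entries and treat CN as a legacy fallback at most). The following matcher is an added example, not code from the certid list or from any of the specifications it discusses; the `PeerCert` structure, the function names and the sample certificate data are all constructed for illustration. It shows the SAN-first rule, with CN consulted only when no dNSName SAN is present and only if the caller opts in, plus the usual constraint that a wildcard may occupy only the whole leftmost label.

```python
"""SAN-first server identity matching with an opt-in legacy CN fallback (illustrative)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PeerCert:
    """Constructed stand-in for the identity fields parsed out of a server certificate."""
    common_name: Optional[str]
    san_dns_names: List[str] = field(default_factory=list)


def dns_id_matches(presented: str, reference: str) -> bool:
    """Compare one presented DNS-ID against the reference identifier.

    Matching is case-insensitive and ignores a trailing dot. A wildcard is
    accepted only as the complete leftmost label ("*.example.com"), it must
    be followed by at least two further labels, and it never spans a dot.
    """
    p = presented.lower().rstrip(".")
    r = reference.lower().rstrip(".")
    if p == r:
        return True
    p_labels = p.split(".")
    r_labels = r.split(".")
    if len(p_labels) != len(r_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*" or "*" in p[1:]:
        return False
    return p_labels[1:] == r_labels[1:]


def verify_server_identity(
    cert: PeerCert, reference: str, allow_cn_fallback: bool = True
) -> Tuple[bool, str]:
    """Return (matched, reason) for a reference hostname against a certificate.

    Rule: if any dNSName SAN is present, only the SANs are consulted and the
    CN is ignored even if it would have matched. The CN is used only when the
    certificate carries no dNSName SAN and the caller allows the legacy path.
    """
    if cert.san_dns_names:
        for name in cert.san_dns_names:
            if dns_id_matches(name, reference):
                return True, "matched SAN dNSName"
        return False, "no SAN dNSName matched; CN ignored because SAN is present"
    if allow_cn_fallback and cert.common_name:
        if dns_id_matches(cert.common_name, reference):
            return True, "matched CN (legacy fallback)"
        return False, "CN did not match"
    return False, "no SAN dNSName and CN fallback disabled"


# Constructed sample certificates, not taken from any real CA or host.
SAN_CERT = PeerCert(common_name="legacy.example.net",
                    san_dns_names=["www.example.com", "example.com"])
CN_ONLY_CERT = PeerCert(common_name="*.example.com")


if __name__ == "__main__":
    for cert, host, fallback in [
        (SAN_CERT, "www.example.com", True),
        (SAN_CERT, "legacy.example.net", True),
        (CN_ONLY_CERT, "mail.example.com", True),
        (CN_ONLY_CERT, "mail.example.com", False),
        (CN_ONLY_CERT, "a.b.example.com", True),
    ]:
        print(host, verify_server_identity(cert, host, fallback))
```

Running the block prints one line per case: the SAN certificate matches `www.example.com`, but `legacy.example.net` is rejected even though it is the CN, because the presence of a dNSName SAN switches the CN off. The CN-only certificate matches `mail.example.com` through the wildcard only while the fallback is enabled, and `a.b.example.com` is refused because the wildcard does not span a dot. Flipping the default of `allow_cn_fallback` to `False` is the one-line change that turns "current practice" into the stricter rule the thread is arguing for.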
